1.Pursuant to s37AI of the Federal Court of Australia Act 1976 (Cth), on the ground set out in s 37AG(1)(a), until the conclusion of the first case management hearing at which the first and second respondents appear, or further order, the information in the following documents is not to be disclosed or published other than to the Court, the parties and their legal representatives:

(a)the following parts of Exhibit SJH-1 to the affidavit of Sophie Jane Higgins madeon 9 April 2020:

(f)any orders made by the Court on the hearing of this interlocutory application and any reasons for judgment, (together, Documents),

on the first respondent in the United States of America, in accordance with art 5 of the Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters, done at the Hague on 15 November 1965 (Hague Convention).

3.Pursuant to r 10.42 and r 10.43(2) of the Rules, the applicant be granted leave to serve the Documents on the second respondent in the Republic of Ireland:

(a)in accordance with art 5 of the Hague Convention; and

(b)by sending the Documents to the registered address of the second respondent in accordance with s 51(1) of the Companies Act 2014 of Ireland and art 10(a) of the Hague Convention.

4.Pursuant to r 10.24 of the Rules, the applicant may serve the Documents on the first respondent by sending the Documents by email to Ms Peta Stevenson (peta.stevenson@au.kwm.com) and Mr Luke Hawthorne (luke.hawthorne@au.kwm.com) of King & Wood Mallesons.

5.Pursuant to r 10.24 of the Rules, the applicant may serve the Documents on the second respondent by sending the Documents by email to:

6.The first and second respondents file a notice of address for service in accordance with r 5.02 of the Rules within 14 days after service upon them of the originating application.

Note:Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

REASONS FOR JUDGMENT

THAWLEY J:

AINTRODUCTION

1The Australian Information Commissioner commenced this proceeding against Facebook Inc and Facebook Ireland Limited on 9 March 2020alleging contraventions of s 13G of the Privacy Act 1988 (Cth) as in force on 5 November 2018. The proceeding wascommenced by the filing of an originating application, a concise statement and a statement of claim. In her originating application, the Commissioner seeks declarations under s 21 the Federal Court of Australia Act 1976 (Cth) (FCA Act) and civil pecuniary penalties under s 80W of the Privacy Act.

2The Commissioner alleges that, from 12 March 2014 to 1 May 2015, Facebook Inc and Facebook Irelanddid an act, or engaged in a practice, that was a serious or repeated interference with the privacy of approximately 311,127 Australian Facebook users, contravening paragraphs (a) and (b) of s 13G of the Privacy Act.

3Neither of the respondents has yet been servedpersonally with any document in the proceedings. Facebook Inc is a company incorporated in Delaware and based in California in the United States of America. Facebook Ireland is a company based in the Republic of Ireland.

4By an ex parteinterlocutory application dated 9 April 2020, the Commissioner seeks orders under r 10.42 and r 10.43(2) of the Federal Court Rules2011 (Cth) granting her leave to serve various documents on Facebook Inc and Facebook Ireland in accordance with art 5 of the Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters, done at the Hagueon 15 November 1965 (Hague Convention). The documents which the Commissioner seeks leave to serve are the originating application, the concise statement, the statement of claim, the interlocutory application, the various affidavits relied upon, the written submissions and the orders of the Court on the hearing of the interlocutory application together with these reasons for judgment (the Court Documents).

5The Commissioner also sought orders for substituted service under r 10.24.

6Before turning to whether those orders should be made, it is necessary to deal with a preliminary matter, namely whether interim suppression or non-publication orders should be made.

BINTERIM SUPPRESSION OR NON-PUBLICATION ORDERS

7The Commissioner applied forinterim suppression and non-publication orders under s 37AF and s 37AI of the FCA Actprohibiting the publication or disclosure (other than to the Court, the parties and their legalrepresentatives)ofcertaininformationwhich FacebookInc and Facebook Ireland claimed was confidentialinformation and which they provided to the Commissioner during her preliminary inquiries and subsequent investigation under s 42(2) ands40(2)of the Privacy Act.

8The Commissioner relies upon the claimedconfidentialinformationin support of her interlocutory application seeking leave to serve the respondents outside Australia. The Commissioner submitted that it was appropriate forhertoseektheinterimsuppression orderpending the respondents being served withthe originatingapplication becausetherespondents have indicated their position thattheinformation is confidential on the basisthat it is:about the respondents’ commercial operations that is secret or known only to a limitedgroup;potentially damaging to the respondents’ business if it is accessible by a competitor;ornot public and may indirectly identify individuals.Searches made bytheCommissioner have not suggested that the information is in the publicdomain.

9Section37AIoftheFCAActprovidesthe Court with the power to make an interim suppression order, without determining the merits of the application, to have effect until the application is determined. Section 37AI provides:

Interim orders

1If an application is made to the Court for a suppression order or non-publication order, the Court may, without determining the merits of the application, make the order as an interim order to have effect, subject to revocation by the Court, until the application is determined.

2If an order is made as an interim order, the Court must determine the application as a matter of urgency.

10The Commissioner applies for orders under s 37AF, on the ground identified in s 37AG(1)(a), for the purpose of engaging the requirement in s 37AI that there be an application for a suppression or non-publication order. It is permissible and appropriate for a party making an ex parte application to adopt this course in order to preserve and not frustrate a known claim for confidentiality of a person against whom the ex parterelief is sought. Such a course is consistent with s 37AG(1)(a).

11I am satisfied it is appropriate on the evidence adduced to make interim orders under s 37AI, effective until the conclusion of the first case management hearing at which the respondents appear.

CSERVICE OF DOCUMENTS OUTSIDE OF AUSTRALIA

C.1Relevant provisions of the FCR

12Rule 10.42 provides that, subject to r 10.43, an originating application may be served on a person in a foreign country in a proceeding that consists of, or includes, any one or more of the kinds of proceeding mentioned in the table in the rule.

13Rule 10.43(2) provides:

A party may apply to the Court for leave to serve an originating application on a person in a foreign country in accordance with a convention, the Hague Convention or the law of the foreign country.

14Rule 10.43(4) provides that, for r 10.43(2), the party must satisfy the Court of three matters, namely that:

(1)the Court has jurisdiction in the proceeding;

(2)the proceeding is of a kind mentioned in r 10.42;

(3)the party has a prima facie case for all or any of the relief claimed in the proceeding.

15Rule 10.44 provides for the same requirements in relation to an application by a party for leave to serve a document filed in or issued by the Court other than an originating application.

16Rule 10.43(3) provides:

The application under subrule (2) must be accompanied by an affidavit stating:

(a)the name of the foreign country where the person to be served is or is likely to be; and

(b)the proposed method of service; and

(c)that the proposed method of service is permitted by:

(i)if a convention applies — the convention; or

(ii)if the Hague Convention applies — the Hague Convention; or

(iii)in any other case — the law of the foreign country.

C.2Compliance with rule 10.43(3)

17The interlocutory application was accompanied by an affidavit complying with r 10.43(3). The affidavit of Mr Zwi stated that Facebook Inc was in the USA and that Facebook Ireland was in the Republic of Ireland. The proposed method of service of Facebook Incwas stated to be by:

(1)applying to the Registrar, in the Registrar’s capacity as a forwarding authority undertheHagueConvention,forarequestforserviceintheUSAundertheHague Convention of the Court Documents upon Facebook Inc, pursuant to r10.64;

(2)providing to the Registrar three copies of each of the followingdocuments:

(a)adraftrequestforserviceabroadofjudicialdocumentsandcertificate,in accordance with Form 25, being the form of model letter of request and certificate of service prescribed by theCourt;

(b)the CourtDocuments;

(c)a summary of the documents to be served, in accordance with Form26;

(d)a written solicitor’s undertaking to be personally liable for all costs incurred by the Registrar, in accordance with r10.64(3);

(3)the Registrar, if satisfied, signing the requests for service abroad and forwarding copies of the relevant documents to ABC Legal Service (ABC Legal), contractor for the US Department of Justice, Civil Division, Office of International Judicial Assistance, for service upon Facebook Inc in accordance with the Hague Convention, pursuant to r10.65;

(4)ABC Legal serving the documents by way of formal service, in accordance with theprovisionsofsubparagraph(a)ofthefirstparagraphofart5oftheHague Convention, by a method prescribed by the USA’s internal law for the service of documents in domestic actions upon persons who are within its territory. The Hague Convention website page relating to USA describes the prescribed methods asfollows:

Formal Service (Art 5(1)(a))

Personal service is the method used by ABC Legal Services (ABC Legal) in executing all requests.

(5)uponABCLegalhavingeffectedserviceuponFacebookInc,ABCLegalproviding to the Registrar a Certificate of Service in respect of Facebook Inc, for filing in the proceedings pursuant to r10.66.

18The proposed method of service of Facebook Ireland was stated to beby:

(1)applying to the Registrar, in the Registrar’s capacity as a forwarding authority undertheHagueConvention,forarequestforserviceinIrelandundertheHague Convention of the Court Documents upon Facebook Ireland, pursuant to r10.64;

(2)providing to the Registrar three copies of each of the followingdocuments:

(a)adraftrequestforserviceabroadofjudicialdocumentsandcertificate,in accordance with Form 25, being the form of model letter of request and certificate of service prescribed by theCourt;

(b)the CourtDocuments;

(c)a summary of the documents to be served, in accordance with Form 26; and

(d)a written solicitor's undertaking to be personally liable for all costs incurred by the Registrar, in accordance with r10.64(3);

(3)the Registrar, if satisfied, signing the requests for service abroad and forwarding copies of the relevant documents to the Master of the High Court of Ireland (Master), for service upon Facebook Ireland in accordance with the Hague Convention, pursuant to r10.65;

(4)the Master serving the documents, in accordance with the provisions of subparagraph (a) of the first paragraph of Article 5 of the Hague Convention, by a method prescribed by Ireland’s internal law for the service of documents in domesticactionsuponpersonswhoarewithinitsterritory;or,inaccordancewith the second paragraph of Article 5 of the Hague Convention, by delivery to the addressee,ifheorsheacceptsitvoluntarily.TheHagueConventionwebsitepage relating to Ireland describes the prescribed methods asfollows:

Formal Service (Art 5 (1)(a))

Personal or by post.

Informal delivery (Art 5(2))

This method can be used where the addressee has indicated in writing thathewillacceptservice,orthatservicemaybeeffectedbydelivering documents to an intermediary e.g. a solicitor acting forhim.

(5)upon the Master having effected service upon Facebook Ireland, the Master providing to the Registrar a Certificate of Service in respect of Facebook Ireland, for filing in the proceedings pursuant to r10.66.

19TheCommissioneralsosoughtleave, if necessary, to serve Facebook Ireland under the law of the Republic of Ireland and in accordance with art 10(a) of the Hague Convention. The Commissioner’s proposed method of service under this course is, in accordance with s 51(a) of the Companies Act Ireland andart10(a) of the Hague Convention, to post the Court Documents to the registered business address of FacebookIreland.

20The Federal Court of Australia’s Overseas Service and Evidence Practice Note (GPN-OSE) issued on 25 October 2016 (Practice Note) requires a party applying for leave to servea document inacountryotherthanAustralia to include in its application information obtained from the Australian Government Attorney-General’s Department in relation to the appropriate method of transmitting documents for service in thatcountry.

21Mr Zwiset outthedetailsoftheinformationobtainedbyhimfrom the Private International Law Section of the Attorney-General’s Department in respect of service of documents in the USA and Ireland, as required by the PracticeNote.

22The methods of service identified above are in accordance with the requirements of the Hague Convention, as set out in the materials annexed to Mr Zwi’s affidavit.

C.2Rule 10.43(4)(a): Jurisdiction

23This Court has such original jurisdiction as is vested in it by the laws made by the Parliament: s 19(1) of the FCA Act. Section 80W(1) of the Privacy Act, being a law made by the Parliament, provides that the Commissioner “may apply to the Federal Court … for an order that an entity, that is alleged to have contravened a civil penalty provision, pay the Commonwealth a pecuniary penalty”. Section 80W(3) provides that “[i]f the court is satisfied that the entity has contravened the civil penalty provision, the court may order the entity to pay the Commonwealth such pecuniary penalty for the contravention as the court determines to be appropriate”. Those matters also provide jurisdiction through s 39B(1A)(c) of the Judiciary Act 1903 (Cth) which provides that the original jurisdiction of the Court includes jurisdiction in any matter “arising under the laws made by the Parliament, other than a matter in respect of which a criminal prosecution is instituted or any other criminal matter”.

24Further, the Commissioner seeks declaratory relief. Section 39B(1A)(a) of the Judiciary Act provides that “[t]he original jurisdiction of the Federal Court of Australia also includes jurisdiction in any matter… in which the Commonwealth is seeking an injunction or a declaration”. The Commissioner is an emanation of the Commonwealth.

25The Court has jurisdiction in the proceeding because it has jurisdiction over the subject matter of the proceeding: BrayvF Hoffman-LaRoche(2003)130FCR317 at [30]-[31](CarrJ);[154](BransonJ). It follows that r 10.43(4)(a) is satisfied.

C.3Rule 10.43(4)(b): Is the proceeding mentioned in r 10.42?

26The Commissioner noted that the following kinds of proceeding are mentioned in the table in r 10.42:

17.1a proceeding based on a cause of action arising in Australia (item 1);

17.2a proceeding based on a contravention of an Act that is committed in Australia (item 12);

17.3a proceeding in relation to the construction, effect or enforcement of an Act, regulations or any other instrument having, or purporting to have, effect under an Act (item 14);

17.4a proceeding seeking any relief or remedy under any Act, including the Judiciary Act (item 15); and

17.5a proceeding in which, if the person to be served is a corporation – the corporation carries on a business in Australia (item 18(b)).

27As the Commissioner submitted, item 14 applies. The “proceeding [is] in relation to the construction, effect or enforcement of an Act”, namely the Privacy Act and the FCA Act.It is not necessary to determine whether any of the other items also apply – cf: Australian Competition and Consumer Commission v Yellow Page Marketing BV [2010] FCA 1218 at [23] (Gordon J). It follows that r 10.43(4)(b) is satisfied.

C.4Rule 10.43(4)(c): Does the Commissioner havea prima facie case?

28The Commissioner provided evidence and detailed written submissions in support of the interlocutory application which addressed the issue of whether there was a prima facie case against the respondents. That evidence and those submissions are proposed to be served out of Australia together with the documents which commenced these proceedings. Parts of that material are the subject of the interim suppression and non-publication orders I propose to make under s 37AI.

29For the reasons given below, I am satisfied that the material establishes a prima facie case in the limited sense described below. I express no view about the strength of the prima faciecase other than that it is sufficient to warrant making orders allowing for service outside of Australia.

C.4.1Relevant principles

30The requirement to demonstrate a prima facie case in the context of an application for leave to serve documents outside Australia is “not particularly onerous”: Yellow Page Marketing at [25].It is relevant to assess whether sufficient material is placed before the Court to show:

(1)that findings of fact are available, and inferences are open to be drawn, which would support the relief claimed: Australian Securities and Investment Commission v Axis International Management Pty Ltd [2008] FCA 1605 at[14] (Gilmour J), citing Bell Group Ltd (In Liq) v Westpac Banking Corporation (1996) 20 ACSR 760 at 763;

31Section 75 of the Evidence Act 1995 (Cth) is relevant tothe assessment of the sufficiency of the material adduced, because it provides that the hearsay rule doesnot apply in an interlocutory proceeding, if the party adducing the evidence also adduces evidence of the source of the hearsay evidence – cf: Brayat[56]and[58](CarrJ); Yellow Page Marketing at [25] (GordonJ).

32The Commissioner only need establish a prima facie case in relation to one cause of action or remedy: Israel Discount Bank at [48]. Under s 13G of the Privacy Act, an entity will be liable for a civil penalty if: (a) it does an act, or engages in a practice, that is a serious interference with the privacy of an individual; or (b) repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals. Whilst the Commissioner only needs to establish a prima facie case under one of these paragraphs, for the reasons given below, the Commissioner has established a prima facie case under both.

C.4.2Whether respondents are entities and organisations within the Privacy Act

33Section13GofthePrivacyActfocusesonactsorpracticesof“entities”. An “entity” is defined as including an “organisation” which is defined as having the meaning in s 6C: s 6(1). The extra-territorial operation of the Privacy Act relevantly depends on whether the respondent is an “organisation”: s 5B(1A).

34An organisation includes a body corporate “that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory”: s 6C(1). A body corporate is not a small business operator if it carries on a business that has an annual turnover of more than $3 million: s 6D(4).

35I am satisfied that Facebook Inc and Facebook Ireland are “organisations” for the purposes of the PrivacyAct.

C.4.3Extra-territorial operation of the Privacy Act

36Section 5B of the Privacy Act includes:

5B Extra-territorial operation of Act

Agencies

…

Organisations and small business operators

(1A)This Act, a registered APP code and the registered CR code extend to an act done, or practice engaged in, outside Australia and the external Territories by an organisation, or small business operator, that has an Australian link.

Note: The act or practice overseas will not breach an Australian Privacy Principle or a registered APP code if the act or practice is required by an applicable foreign law (see sections 6A and 6B).

Australian link

(2)An organisation or small business operator has an Australian link if the organisation or operator is:

(a)an Australian citizen; or

(b)a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; or

(c)a partnership formed in Australia or an external Territory; or

(d)a trust created in Australia or an external Territory; or

(e)a body corporate incorporated in Australia or an external Territory; or

(f)an unincorporated association that has its central management and control in Australia or an external Territory.

(3)An organisation or small business operator also has an Australian link if all of the following apply:

(a)the organisation or operator is not described in subsection (2);

(b)the organisation or operator carries on business in Australia or an external Territory;

(c)the personal information was collected or held by the organisation or operator in Australia or an external Territory, either before or at the time of the act or practice.

…

37The Commissioner did not contend that s 5B(2) applied. She contended that each paragraph of s 5B(3) was satisfied.

38Relevant to s 5B(3)(c), s 6(1) defines “collects” and “holds” in the following way:

collects: an entity collects personal information only if the entity collects the personal information for inclusion in a record or generally available publication.

holds: an entity holds personal information if the entity has possession or control of a record that contains the personal information.

39In my view, there is a prima facie case, in the limited sense earlier described, that each of the paragraphs of s 5B(3) is satisfied. As to s 5B(3)(b), the evidence, some of which is the subject of the proposed interim suppression or non-publication order, establishes a prima facie case that the respondents carried on business in Australia in the relevant sense – cf: Tiger Yacht Management Ltd v Morris (2019) 268 FCR 548 at [50]-[54] (McKerracher, Derrington and Colvin JJ); Anchorage Capital Partners Pty Ltd v ACPA Pty Ltd (2018) 259 FCR 514 at [99] (Nicholas, Yates and Beach JJ); Australian Competition and Consumer Commission v Valve Corporation (No 3) (2016) 337 ALR 647 at [199]-[204] (Edelman J). The prima facie case arises from material which is capable of supporting the conclusion that:

(1)Australian users contracted with Facebook Ireland, which described itself as the “data controller for Australian Facebookusers”;

(2)Facebook Ireland provided the Facebook service to Australian users as agent for Facebook Inc.

40As to s 5B(3)(c), whilst substantial argument might be anticipated, the materialwas sufficient to establish a prima facie case that Facebook Ireland and Facebook Inc collected personal information in Australia. Facebook Ireland stated it was the provider of the Facebook service to Australian users and that it was responsible, in that capacity, for the collection and storage of personal information of those users through the Facebook service. The material is less clear about whether Facebook Ireland collected or stored personal information “in Australia” and there may be debate about what facts must be established to satisfy that requirement. When account is taken of inferences which can be drawn, sufficient has been shown in terms of a prima facie case for service out of the jurisdiction.

41The contractual relationship between Facebook Ireland and Facebook Inc is such that a prima facie case is also shown as against Facebook Inc.

C.4.4Whether prima facie contraventions

42The phrase in s 13G, “interference with the privacy of an individual”, is defined in the Privacy Act as having the meaning given by sections 13 to 13F: s 6(1). In summary, an act or practice of an “APP entity” is an interference with the privacy of an individual if the act or practice breaches an “APP” in relation to personal information about theindividual. An “APP entity” includes an “organisation”: s 6(1). “APP” is an acronym for “Australian Privacy Principle”.

43The phrase“AustralianPrivacyPrinciple”hasthemeaninggiventoitbys14: s 6(1).Section14(1)providesthattheAPPsaresetout in the clauses of Schedule1.The Commissioner relies upon contended breaches of APP 6.1 and APP 11.1 in alleging that the respondents engaged in acts or practices constituting “serious” and “repeated” interference with the privacy of individuals in contravention of paragraphs (a) and (b) of s 13G.

APP 6.1 – use or disclosure of personal information

44APP 6.1 (contained in Part 3 of Schedule 1) provides:

Part 3 – Dealing with personal information

6 Australian Privacy Principle 6 – use or disclosure of personal information

Use or disclosure

6.1If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:

(a)the individual has consented to the use or disclosure of the information; or

(b)subclause 6.2 or 6.3 applies in relation to the use or disclosure of the information.

Note: Australian Privacy Principle 8 sets out requirements for the disclosure of personal information to a person who is not in Australia or an external Territory.

45It is not necessary for present purposes to set out cl 6.2 or 6.3

46The Commissioner summarised the critical underlying facts in the following way, these facts being sufficiently supported, at least for the purposes of the present application, by the material presented on the interlocutory application (footnotes omitted):

(6) The Graph API and Facebook Login (Statement of Claim[25]-[38])

23.During the Relevant Period, apps could request personal information from Users’ Facebook Accounts using a tool called the Graph Application Programming Interface (Graph API). The Graph API allowed apps to create a link or interface between the Facebook Website’s “social graph” (being the network of connections through which Users communicated information on the Facebook Website) and the app.Version 1 of the Graph API was in place during the Relevant Period (Graph APIV1).

24.The link or interface between the Facebook Website and the app was facilitated by a further tool known as “Facebook Login”. This allowed an installer of an app (Installer) to utilise their Facebook account credentials (username and password) to login to an app. Where an Installer did so, a screen or page would appear on the apprequestingthe Installer’s permission for the app to request, through the Graph API, certain categories of the User’s personal information as that User had provided to the Facebook Website (Permission Request).

25.Through the Graph API V1, an app could request a wide range of information about not only those Installers who had responded to Permission Requests, but also their Facebook friends who had not installed the app (Friends). This included requests for sensitive information. In response to a request from an app, the Respondents disclosed information about Installers and their Friends to the app, subject to the User’s privacy settings on the Facebook Website … However, a User’s “privacy settings” did not alone control how a User’s personal information was shared with apps, including apps installed by Users’ Friends. Unless a User modified their “app settings”, various categories of the User’s personal information, including sensitive information, would be disclosed to apps installed by their Friends by default …

26.Although the Respondents had in place terms and conditions about what kinds of information an app could request (see the Platform Policy, the relevant terms of which are pleaded at [35] of the Statement of Claim), the Respondents relied upon app developers’ self-assessment that an app complied with these rules. In particular, as is alleged at [36] of the Statement of Claim, the Respondents did not have in place any procedures to approve an app’s ability to make requests of the Graph API V1; nor did it review the privacy policies of the apps themselves.

27.On 30 April 2014, a new version of the Graph API (Graph API V2) was launched by the Respondents. Under Graph API V2, app developers wishing to request more than basic information from Friends and Installers had to undergo a manual app review process (App Review). Such requests would only be approved where, among other things, the additional information clearly improved the User's experience of the app. However, Facebook allowed apps using Graph API V1 a 12-month ‘grace period’ (Grace Period) to migrate to Graph API V2.

(7)The “This is Your Digital Life” App (Statement of Claim [40]-[61])

28.The “This is Your Digital Life” App was a personality survey or quiz. It was developed by Dr AleksandrKogan, a researcher, who later established Global Science Research Limited (GSR).

29.The Graph API V1 allowed the “This is Your Digital Life” App to request information from the Facebook Accounts of 305,000 Facebook Users globally who were also Installers of the app, of which approximately 53 were Australian. The Graph API also allowed the app to request from the Respondents the personal information of approximately 86,300,000 Facebook Users globally (approximately 311,074 of whom were Australian Facebook Users) who were Friends (that is, they did not install the app themselves). The Australian Installer and Friends are referred to as the Affected Australian Individuals. Dr Kogan and/or GSR further disclosed personal information it obtained from the Respondents to third parties, including Cambridge Analytica Ltd, and/or its parent company, for profit.

30.On 6 May 2014, the developers of the “This is Your Digital Life” App submitted an application for App Review. On 7 May 2014, the Respondents rejected that application, on the basis that the app would not be using the data gained through extended permissions to enhance a User's in-app experience. Despite this, the Respondents permitted Dr Kogan and/or GSR to continue requesting Installers’ and Friends’ information using the Graph API V1 for a further 12 months until the end of the Grace Period on 1 May 2015. In effect, this meant that Dr Kogan and/or GSR were able to continue requesting Friends’ and Installers’ information under Graph API V1 until 1 May 2015.

47The Commissioner contended that:

(1)the primary purpose for which the respondents collected the personalinformationoftheaffected individualswastoallowthemtobuild anonlinesocialnetworkwithotherusersontheFacebookwebsite;

(2)thedisclosure of that information to the “This is Your Digital Life” app was not for that primary purpose and was,rather, forasecondarypurpose.The “This is Your Digital Life” app did not operate with a view to enabling users to build an online social network with other users on the Facebook website. It instead provided a separate service, on a third party app, which allowed installers of the appto undertake a personality survey orquiz.

48The Commissioner contended that, on each occasion on which Facebook Ireland and Facebook Inc disclosed the personal information of the affected individuals to the “This is Your Digital Life” app, this was an act or practice that was a serious interference with the privacy of each such individual in contravention of s 13G(a).

49The Commissioner also contended that the repeated act or practice of disclosing the personal information of the affected individuals to the “This is Your Digital Life” app was an act or practice that contravened the privacy of those individuals, in contravention of s 13G(b). The Commissioner relied upon material which arguably showed that the respondents were likely, or at least potentially likely, to have repeatedly disclosed the personal information of 53 Australianinstallers of the app and 311,074 Australian friends of installers of the app to the “This is Your Digital Life” app by allowing the app to access the Graph API.

50The Commissioner noted that the respondents might contend that, because the CommissionerhasnotidentifiedwithprecisiontheidentitiesoftheAustralian individuals affected andtheparticularinformationallegedlycollectedandheldaboutthem,the Court could not conclude that the information was infact “personalinformation”:PrivacyCommissionervTelstraCorporationLtd(2017)249FCR24 at [63] (Kenny and Edelman JJ). In this context, it should be noted that the respondents themselves have not been able to provide the Commissioner with the identities of the relevant individuals, but have acknowledged that Australians have been affected. This fact does not negate the existence of a prima facie case.

APP 11.1 – Integrity of personal information

51APP11.1 (contained in Part4ofSchedule1)provides:

Part 4 – Integrity of personal information

…

11 Australian Privacy Principle 11—security of personal information

11.If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:

(a)from misuse, interference and loss; and

(b)from unauthorised access, modification or disclosure.

52The Commissioner contended that, having regard to the respondents’ size and resources, as well as the sensitivity of the personal information it collected and held, the steps that the respondents should have taken to comply with APP 11.1 included at least thefollowing:

53In respect of the first matter set out above, the Commissioner submitted that, in order toprotectthe users’ personalinformationfromunauthoriseddisclosure, the respondents were required to take steps akin to the “App Review”process in respect of third-party apps that sought to access the Graph API. She submitted that, to the extent that those steps werenottakenwithrespecttothosethird-partyappswhichaccessedGraphAPIV1,the respondents breached APP 11.1. It was insufficient and unreasonable, so it was submitted, for the respondents merely to devolve to third-party apps compliance with the terms of Facebook’s policies without Facebook undertaking any investigation into the nature of the apps accessing version 1 of the Graph API and the purposes for which those apps sought access. The Commissioner noted that the reasonableness of each of the above steps wouldneedtobeassessed at the final hearing.

54The Commissioner contended that:

(1)the failure of Facebook Inc and Facebook Ireland to take the steps identified above, was an act or practice that was a serious interference with the privacy of the affected individuals contravening s 13G(a); and

(2)the repeated and consistent failure, over the relevant period, of Facebook Inc and Facebook Ireland to take the steps identified above to prevent the unauthorised disclosure of the personal information of the affected individuals contravened s 13G(b).

C.4.5Conclusion with respect to r 10.43(4)(c)

55A sufficient prima facie caseon the basis articulated by the Commissioner has been shown, in the sense earlier described, to warrant service outside of Australia. At the risk of repetition that is not to say anything about the strength of the case. Rather, the material demonstrates a genuine argument about contravention, sufficient to justify causing the respondents to be subject to the litigation in Australia where the merit of that argument can be judicially determined.

56It is to be recognised that there are defences which might be available to the respondents. The fact that defences might be available does not, in the circumstances of this case, undermine the existence of the prima facie case. For example, APP 6.1(a),read with the definition of “consent” in s 6(1) of the Privacy Act, contains a defence for an APP entity to use or disclose personal information for a secondary purpose where the individual has expressly or impliedly consented to the use or disclosure. It may be that there will be an argument about whether this defence is available at least in respect of certain individuals. It is not possible, however, on the material on this application to conclude thatfriends of an installer, being friends who didnot install the app,relevantly provided consent.

59The Commissioner pointed to the following discretionary matters as favouring the exercise of the discretion to order service outside Australia:

(1)First, correspondence and a media report indicate that the respondents are aware of the proceedings and of the fact that the Commissioner proposed to make this interlocutory application:

King & Wood Mallesons (KWM) had represented the respondents during the Commissioner’s inquiries, culminating in the commencement of the proceeding. On 6 March 2020, the Australian Government Solicitor (AGS) emailed KWM to request confirmation of whether KWM had instructions to accept service of the originating process. On 6 March 2020, KWM emailed AGS advising that KWM acted for the respondents but were not instructed to accept service on their behalf; and stating that, in order to serve the respondents, the Commissioner would need to comply with relevant requirements for service at their respective domiciles in the United States and Ireland. The letter also made clear that KWM had instructions to discuss the substantive issues raised in the proceedings.

On 9 March 2020, AGS emailed KWM attaching sealed copies of the originating application, statement of claim and concise statement, asking KWM to draw these to their clients’ attention, and inviting the respondents to reconsider their position in respect of service so as to avoid the delay and expense that would be caused by an application by the Commissioner to serve the above documents outside the jurisdiction. On 12 March 2020, KWM emailed AGS advising that KWM did not have instructions in relation to the matters raised in the documents that AGS provided on 9 March 2020.

On 10 March 2020, a media report attributed comments, which I infer were related to the proceeding, to a Facebook spokesperson.

(2)Contemporary developments in communications and transport make the degree of “inconvenience and annoyance” to which a foreign defendant would be put, if brought into the courts of this jurisdiction, “of a qualitatively different order to that which” prevailed at the time of earlier decisions considering these issues: Agar v Hyde (2000) 201 CLR 552 at 571 (Gaudron, McHugh, Gummow and Hayne JJ).

60There are no compelling countervailing considerations suggesting that an order for service out of Australia should not be made.

C.6Conclusion

61Given that the relevant requirements have been met, including those in r 10.43(3) and (4), and that there is no good reason not to make the order, the discretion should be exercised to grant leave to the Commissioner to serve the respondents outside Australia with the various documents specified in the interlocutory application.

DSUBSTITUTED SERVICE

62The Commissioner applies for substituted service under r 10.24.

63Rule 10.49 provides for substituted service if service on the person in a foreign country inaccordancewithaconvention,theHagueConventionorthelawofaforeigncountry “was not”successful. This implies that some attempt must first be made. The power in r 1.34 could be exercised to dispense with compliance with the implied requirement in r 10.49 that, before substituted service under that that rule be ordered, an attempt at servicefirst be made, although it has been said thatsuch cases are likely to be rare, for example perhaps “where there is real urgency for service and where the evidence suggests an impossibility or serious impracticability in service by the means contemplated in the Convention”: Park (Trustee) v Tschannen (Bankrupt) [2016] FCA 137 at [18] (Edelman J). The Commissioner didnot expressly apply for substituted service under r 10.49.

64Rule 10.45 provides:

The other provisions of Part 10 apply to service of a document on a person in a foreign country in the same way as they apply to service on a person in Australia, to the extent that they are:

66This Court has held, in circumstances analogous to the present,that an order for substituted service may be made under eitherr 10.24 or r 10.49: Commissioner of Taxation v Zeitouni(2013) 306 ALR 603 at [60] (Katzmann J); see also: AustralianCompetitionandConsumerCommissionvKokosInternationalPtyLtd[2007]FCA 2035at[18](FrenchJ);CommissionerofTaxationvOswal[2012]FCA1507at[32](Gilmour J). Even if that position is incorrect, I would have ordered substituted service under r 10.49, with a dispensation from the implicit requirement to attempt service under r 1.34, for equivalent reasons to those for which I will order substituted service under r 10.24, explained next.

67Rule10.24providesthatapersonmayapplyforanorderif“itisnotpracticabletoserve a document on a person in a way required by theseRules”. In Commissioner of Taxation v Caratti (No 2) [2018] FCA 1500 at [10], Colvin J observed:

The preponderance of authority is to the effect that the current rule requires the applicant for orders for substituted service to demonstrate that it is not sensible orrealistictoeffectpersonalserviceeventhoughitmaybepossibleorfeasibleto do so. This will usually be done by taking steps to effect personal service and providing evidence as to any difficulties that have arisen in doing so. It is not necessarytogosofarastodemonstratethatthereisaninabilitytoeffectpersonal service or that it would be extraordinarily difficult to do so. Further, there must be a proper evidential basis upon which to conclude that in all probability the mode of substituted service that is proposed will bring the relevant documents to the attention of the party to beserved.

Inthecontextofr10.23(a),theword‘practicable’hasawidemeaningwhichwill depend on the circumstances of the particular proceeding: Australian Securities andInvestmentsCommissionvChinaEnvironmentGroupLtd[2013]FCA286at[11]-[15]. Rule 10.23 does not require the applicant to prove the impossibility of service of documents upon a party in accordance with the rules, or that further attempts to effect service in accordance with the rules would be futile or not sensible or feasible: Speedo Holdings BV v Evans [2011] FCA 1089 at [12]. The question is not whether reasonable effort has been shown by the applicant over a particular period, but whether at the date on which the application regarding service is made, the applicant, using reasonable effort, is unable to serve the respondentpersonally:FoxevBrown(1984)58ALR542at547asappliedinO'Neil v Acott(1988) 59 NTR 1 at 2. Evidence of attempts to serve, attempts to speak by telephoneandlackofknowledgeofwhereaboutswillberelevanttothequestion of practicability: see egRoss v Cotter [2015] FCA 310 at[2].

69The Court takes judicial notice under s 144(1)(a) of the Evidence Act that COVID-19 is presently spreading globally; it has been declared a pandemic by the World Health Organisation and is directly affecting the USA and Ireland, the two jurisdictions in which documents are sought to be served. The evidencealsoaddressesthesematters. These circumstances inform the Court’s view of what is “practicable”.

70An extract from ABC Legal’s website indicates that ABC Legal, the contractor for the USA Department of Justice, Civil Division, Office of International Judicial Assistance, and the entity through which it is proposed to serve the Court Documents on Facebook Inc, has “suspended service of process nationwide” across the USA in response to the COVID-19 pandemic. This means it is not practicable to effect service of Facebook Inc pursuant to art 5 of the Hague Convention without substantial difficulty.

71As the Commissioner frankly conceded, the impracticability of service in accordance with the Hague Convention in the Republic of Ireland is not as strong. There is a National Public Health Emergency in the Republic of Ireland. However, the High Court of Ireland and postal services in the country remain operative. The Hague Convention permits service of the court documents on Facebook Ireland by post.The Commissioner submitted, however, that given the rapidly evolving nature of the COVID-19 pandemic globally, and having regard to various discretionary matters referred to earlier, the Court ought be satisfied that it would not be practicable to serve Facebook Ireland in accordance with the Hague Convention.

72A consideration against ordering substituted service arises out of principles of international comity. There is an applicable agreed regime for service outside the jurisdiction. That agreed regime is subverted where jurisdiction is exercised permitting a party to substitute an alternative form of service – cf: Laurie v Carroll (1958) 98 CLR 310 at 325. I take that fact into account.

73The proposed method of substituted service is to email the various documents to identified individuals at KWM. As both respondents have retained KWM in connection with the events giving rise to the proceedings and KWM has recently confirmed that it acts for both respondents, substituted service is very likely to bring the documents to the respondents’ attention.

74It is also proposed that the Court Documentsbe emailed to a named individual being the Head of Data Protection and Privacy and Associate General Counsel at “Facebook” located in Ireland. As the Commissioner submitted, that individual appears to be a person of appropriate senior authority within Facebook Ireland and is the person with whom the Commissioner corresponded throughout her preliminary inquiries. There is little in the way of practical difference between service by post and service by email.

75Orders for substituted service pursuant to r10.24 of the Rules should be made. It is not presently practicable to effect service on Facebook Inc pursuant to art 5 of the Hague Convention. It is presently possible to serve Facebook Ireland in accordance with Hague Convention. However, it is impracticable to do so in the rapidly changing and evolving environment caused by the current pandemic; the present situation may have changed by the time service in the relevant way would be sought to be effected. The proposed method of substituted service is plainly likely to bring the proceeding to the attention of the respondents. Indeed, I infer that the respondents are aware of the proceeding. That inference arises from the correspondence between the parties identified above and the media article. I note that KWM held instructions on 6 March 2020 to discuss the foreshadowed proceeding with the Commissioner’s legal representatives, “including to satisfy the requirements inherent in section 37N of the Federal Court of Australia Act 1976 (Cth) and the Civil Dispute Resolution Act 2011 (Cth)”.

ECONCLUSION

76For the reasons given, interim orders should made under s 37AI of the FCA Act. Orders should be made granting leave to the applicant to serve the respondents outside Australia. Orders should be made for substituted service.

I certify that the preceding seventy-six (76) numbered paragraphs are a true copy of the Reasons for Judgment herein of the Honourable Justice Thawley.